Locky: the encryptor taking the world by storm

In February 2016, the Internet was shaken by an epidemic caused by the new ransomware Trojan Locky (detected by Kaspersky Lab products as Trojan-Ransom.Win32.Locky). The Trojan has been actively propagating up to the present day. Kaspersky Lab products have reported attempts to infect users with the Trojan in 114 countries around the world.

Analysis of the samples has shown that this Trojan is a brand new ransomware threat, written from scratch. So, what is Locky, and how can we protect against it?

Propagation

In order to spread the Trojan, cybercriminals sent out mass mailings with malicious loaders attached to spam messages.

Initially, the malicious spam messages contained an attached DOC file with a macro that downloaded the Locky Trojan from a remote server and executed it.

We should note that in modern versions of Microsoft Office, automatic execution of macros is disabled for security reasons. However, practice shows that users often enable macros manually, even in documents from unknown sources, which may lead to some damaging consequences.

At the time of writing, the malicious spam is still being sent, but instead of the DOC files being attached there are now ZIP archives containing one or more obfuscated scripts in JavaScript. The messages are mostly in English, though some bilingual variants have appeared.

Spam message in English with the archive attached

Message in German and English with the archive attached

The user is prompted to manually launch the scripts.

Contents of the archive attached to the message

Fragment of the archived script

When launched, the script downloads the Locky Trojan from a remote server and launches it.

We should note that these statistics only include cases where the actual Trojan was detected; they do not include early-stage detections reported as malicious spam or malicious downloaders.

The geography of Trojan-Ransom.Win32.Locky attacks (number of attacked users)

As we can see, the Trojan carries out attacks in practically all regions of the world. We can assume which countries the cybercriminals see as their main targets based on the list of languages used on the ransom payment webpage (see details below).

How it works

The Locky Trojan is an executable file, about 100 KB in size. It is written in C++ using STL, and is compiled in Microsoft Visual Studio. When launched, it copies itself to %TEMP%\svchost.exe and deletes the NTFS data stream Zone.Identifier from its copy – this is done to ensure that when the copy is launched, Windows does not display a notification saying that the file has been downloaded from the Internet and may be potentially dangerous. The Trojan then launches from %TEMP%.

Once launched, the Trojan checks for the presence and the contents of the following registry values:

Path                                          Type        Value
HKEY_CURRENT_USER\Software\Locky\id           REG_SZ      Infection ID
HKEY_CURRENT_USER\Software\Locky\pubkey       REG_BINARY  Public RSA key in MSBLOB format
HKEY_CURRENT_USER\Software\Locky\paytext      REG_BINARY  Text shown to the victim
HKEY_CURRENT_USER\Software\Locky\completed    REG_DWORD   Status (whether encryption is completed)

If data already exists in the registry keys (this is the case if the Trojan has launched before, but its previous session aborted for some reason), Locky reads that data and continues with the infection process.

If launched for the first time, the Trojan performs the following actions:

Contacts C&C and reports infection;

Receives a public RSA-2048 key and infection ID from C&C, saves them in the registry;

Sends information about the language of the infected operating system, receives the cybercriminals’ ransom demand text that will be shown to the victim, saves the text in the registry;

Searches for files with specific extensions on local disk drives, encrypts them;

Searches for and encrypts files with specific extensions on network drives and on network file resources with no assigned drive letter;

Displays the cybercriminals’ ransom demands to the victim;

Terminates its process and removes itself.

Fragment of code that determines the language of the operating system

File encryption

The Trojan searches for files matching a given list of extensions. Then, these files are encrypted as described below.

List of file extensions that are subject to encryption

For each file that matches an extension on the list, the Trojan generates a new 128-bit key and encrypts the file’s contents with the algorithm AES-128 in CTR mode. The encrypted file is given the name <16 HEX characters as ID><16 random HEX characters>.locky. Then the following structure is added to the end of the file:
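The file naming scheme just described (16 hex characters of infection ID followed by 16 random hex characters and the .locky extension) is itself a usable incident-response artifact. The following is an added example, not code from the article or from Kaspersky Lab: it walks a directory tree, picks out files whose names fit that scheme, and groups them by infection ID so a responder can see how many files one run touched and whether more than one run is present. The sample tree and the IDs in it are constructed.

```python
import os
import re
import tempfile
from collections import defaultdict

# Naming scheme from the article: <16 hex ID><16 random hex>.locky
LOCKY_NAME = re.compile(r"^(?P<id>[0-9A-Fa-f]{16})(?P<rand>[0-9A-Fa-f]{16})\.locky$")


def find_locky_files(root):
    """Walk `root` and group files matching the Locky naming scheme by infection ID.

    Returns {infection_id: [paths]}: one key per infection ID found, so several
    keys mean the encryptor ran more than once (or on more than one host) under this tree.
    """
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = LOCKY_NAME.match(name)
            if m:
                hits[m.group("id").upper()].append(os.path.join(dirpath, name))
    return dict(hits)


def demo():
    """Build a constructed directory tree (sample data, not a real case) and scan it."""
    root = tempfile.mkdtemp()
    sample = [
        "docs/0123456789ABCDEF00112233445566AA.locky",   # constructed ID 0123456789ABCDEF
        "docs/0123456789ABCDEFFFEEDDCCBBAA9988.locky",   # same constructed ID, different random part
        "share/FEDCBA9876543210AAAABBBBCCCCDDDD.locky",  # a second constructed ID
        "docs/report.docx",                               # untouched file
        "docs/notes.locky",                               # .locky extension but not the naming scheme
    ]
    for rel in sample:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return find_locky_files(root)


if __name__ == "__main__":
    for infection_id, paths in demo().items():
        print(infection_id, len(paths), "file(s)")
```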

Ransom demands

After encrypting the user’s files, the Trojan displays the following message with the cybercriminals’ ransom demands.

Ransom demand in English

Ransom demand in German

The ransom message contains the address of the cybercriminals’ ‘secret server’ where they placed information about the ransom they demand for the decryption program. All four links in the message lead to the same website in the Tor network.

During the early spamming campaigns, the ransom payment page looked like this:

Early version of Locky’s ransom demand page

On this page, the cybercriminals suggested that the victims pay in bitcoins to decrypt the affected files on their computer. They also gave recommendations about where and how to get the cryptocurrency.

The contents and the design of the page changed with time. Today, the page is available in more than 20 languages (that can be selected from a dropdown list), and looks like this:

Latest version of Locky’s ransom payment page

If we look at the page’s source code, we will see a complete list of supported languages. The cybercriminals obviously see the corresponding countries as the main targets for this ransomware Trojan. Interestingly, Russian and other CIS languages are not on the list. For some reason the cybercriminals are not that keen on targeting users in countries where those languages are spoken – something that KSN statistics confirm.

List of languages supported on Locky ransom payment page

Communication with C&C

The Trojan’s code contains between one and three C&C IP addresses. On top of that, the code contains an algorithm that generates new C&C addresses (a DGA, domain generation algorithm) depending on the current day, month and year. With this algorithm, six C&C addresses are generated each day. The pseudo-code illustrating Locky’s DGA is highlighted in the screenshot below.

Pseudo-code of Locky C&C domain generation algorithm

Communication with a C&C is performed using the HTTP protocol. The Trojan sends a POST request to an address with the format http://<cnc_url>/main.php; the transmitted data is encrypted with a simple symmetric algorithm.

Let’s have a look at the possible types of transmitted parameters.

Notification about infection and request for key:

id=<infection id>&act=getkey&affid=<partner id contained in the Trojan’s body>&lang=<language of the operating system>&corp=<whether the OS is a corporate OS>&serv=<whether the OS is a server OS>&os=<OS version>&sp=<version of OS service pack>&x64=<whether the OS is 32- or 64-bit>

Judging by the affid parameter, Locky is distributed via an affiliate, or partnership, program.

It should be noted that the cybercriminal collects very detailed statistics for each infection. Other ransomware families that we analyzed earlier were not this thorough at collecting statistics.
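The request format above (a POST to /main.php carrying id, act=getkey, affid and the OS-profiling parameters) can be turned into a detection rule. The following is an added example, not code from the article or from Kaspersky Lab: it runs that rule over constructed proxy-log lines of the form "METHOD URL BODY" and reports the infection ID and affiliate ID of any match. It assumes the body is seen in plaintext, i.e. after the simple symmetric encryption mentioned above has been undone (for instance in a sandbox capture); the hosts and IDs are constructed.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines in a simplified "METHOD URL BODY" form (not real traffic).
SAMPLE_LOG = """\
POST http://192.0.2.10/main.php id=0123456789ABCDEF&act=getkey&affid=3&lang=en&corp=0&serv=0&os=6.1&sp=1&x64=1
GET http://www.example.com/index.html -
POST http://shop.example.com/main.php user=alice&item=42
POST http://198.51.100.7/main.php act=getkey&lang=de
"""

# Parameter names the article lists for the infection notification.
LOCKY_PARAMS = {"id", "act", "affid", "lang", "corp", "serv", "os", "sp", "x64"}
LINE = re.compile(r"^(?P<method>\w+)\s+(?P<url>\S+)\s+(?P<body>\S*)$")


def classify(line):
    """Return {host, id, affid} for a line matching the Locky getkey request, else None.

    A hit requires: POST, a path ending in /main.php, act=getkey, an id and affid
    parameter, and at least six of the nine documented parameter names.
    """
    m = LINE.match(line)
    if not m or m.group("method") != "POST" or not m.group("url").endswith("/main.php"):
        return None
    params = parse_qs(m.group("body"))
    names = set(params)
    if params.get("act") != ["getkey"] or not {"id", "affid"} <= names:
        return None
    if len(names & LOCKY_PARAMS) < 6:
        return None
    host = m.group("url").split("/")[2]
    return {"host": host, "id": params["id"][0], "affid": params["affid"][0]}


def scan(log_text):
    """Apply classify() to every line and return the list of hits."""
    return [hit for hit in (classify(line) for line in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("Locky C&C check-in:", hit)
```

The last sample line shows why the rule asks for the id and affid parameters and a minimum number of fields: a bare act=getkey alone is not enough to flag.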

Countermeasures

Kaspersky Lab products protect against the Locky ransomware Trojan at all stages of the attack:

The anti-spam module detects emails sent by the Trojan’s distributors;

Script loaders are detected by static and heuristic signatures of email and file antivirus with the verdicts Trojan-Downloader.MSWord.Agent, Trojan-Downloader.JS.Agent, HEUR:Trojan-Downloader.Script.Generic;

The Trojan’s executable file is detected by file antivirus signatures as Trojan-Ransom.Win32.Locky;

Unknown samples of Locky are proactively detected by the System Watcher module with the verdict PDM:Trojan.Win32.Generic.

Preventing infections

Locky is a typical ransomware Trojan, and it exhibits no major differences from other ransomware families in its internal arrangement or its principles of operation. However, it caught the attention of researchers because it was so active and so widespread. According to KSN data, Kaspersky Lab products have blocked Locky attacks in over 100 countries around the world – no other ransomware Trojan to date has attacked so many countries at once.

To protect yourself from this ransomware Trojan, follow these preventive measures:

Do not open attachments in emails from senders you don’t know;

Back up your files on a regular basis and store the backup copies on removable storage media or in cloud storages – not on your computer;

Regularly run updates for your antivirus databases, operating system and other software installed on your computer;

Create a separate network folder for each user when managing access to shared network folders.

For more detailed information about protection from ransomware Trojans, please follow this link.

These measures are not really practical in any sense. They are ‘cool’ as they would put our RE skills to the test, but that’s really as far as it goes. If you are worried you or your users might be the future target of such ransomware, you should invest in a proper solution.

I’m a victim of the Locky virus. All of my Word files and Excel files are encrypted to .locky files… however, I have forgotten to back up, so can you help me decrypt those .locky files to Word and Excel files… Thank you so much.

Unfortunately, my parents’ computer has been attacked by zepto. Luckily, I have an old backup from 2014 which is almost identical to an external drive that was encrypted by Zepto, which is from the penultimate time my parents’ computer died of mysterious reasons (there are more!). Are there any tools where key-guessing could be employed using a comparison of files in the two drives? I’m looking to recover their files from late 2014-2016.

Jason Martin, our company’s server got infected with .thor as well. A careless employee clicked on an email attachment and the Trojan was on his computer, but infected the server as well. I hope there is a decryption method soon. All of our company’s historical data has been encrypted.

As is known, recently most users have been infected by a ransomware virus which changes all important documents like (pdf, doc, docx, xls, xlsx, dwg, mp3, mp4, mpeg, avi, vb) to “.vvv, .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, .xxx, .ttt, .micro, .mp3, .xtbl, .cerber, .enc, .encrypted” (and no extension in the latest version); they are encrypted and not usable/readable, unfortunately. I can help infected users decrypt their files; you can contact me at the email address below if you or one of your friends has been infected by this kind of virus.
